Forbidden file extension when restricting file types
 


Started by rgroves, January 10, 2005, 07:33:07 AM


rgroves

I believe I solved my own problem, but figured I'd post it here for two reasons: One, because I could not find my exact problem/solution when searching the forums and maybe this will be of use to someone else; and two, because I'd like to know if my fix is going to break something somewhere else!  :-\

In my config settings I had "Allowed image types" set to jpg,png. When uploading either a jpg or png image file, I would get the following messages: "0 uploads were successful" (in the Information section) and "Forbidden file extension" (in the Error Report section).

If I changed the Allowed image types setting to ALL my uploads worked fine, but not when restricting the types on the config page as it states in the doc ("If you want to restrict the allowed file types to certain types only, enter a comma-separated list of extensions, e.g. jpg,bmp,tif").

After digging through some of the php files I found the solution in the media.functions.inc.php file. The code validates the user specified file types against the Coppermine allowed file types. If the Coppermine allowed file type is found in the user specified allowed file types it is added to the valid file types array ($FILE_TYPES). However, the thing that caught my eye was that it wraps the extensions in forward-slashes during the search (strpos() on line 33). Therefore, when I was using jpg,png what was basically happening, for example, was that it was searching for /jpg/ within /jpg,png/ which, of course, it would never find (same goes for /png/).

I believe the solution to be to use a forward-slash-separated list of extensions on the config page for the "Allowed file types" settings. I've tested that and it does SEEM to work. Although, it could be that the code needs a str_replace() to change commas to forward-slashes in media.functions.inc.php in the strpos() on line 33?

I'm interested in knowing if the code needs to be patched or the documentation updated? (i.e. somewhere else in the code it may be expecting that list of types to be comma-separated, in which case I'm screwing myself by using the forward-slashes).

If someone can post a reply stating the workaround that should be used (or that I'm totally off my rocker :P), I'd appreciate it. Thanks!
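The mismatch described in the post above, as an added example that is not part of the original thread and is not Coppermine's code: the delimiter-wrapped strpos() test is reconstructed from the post's description and shown beside one way to normalise the setting so that either separator works. All function names and sample values are assumptions made for illustration.

```php
<?php
// Added illustration; function names are hypothetical, not Coppermine's.

// Delimiter-wrapped substring test as described in the post:
// look for "/ext/" inside "/<configured list>/".
function wrapped_match(string $ext, string $configured): bool
{
    return strpos('/' . $configured . '/', '/' . $ext . '/') !== false;
}

// Normalise the setting once: accept "," or "/" as separator,
// trim whitespace and dots, lowercase, drop empty entries.
function parse_extension_list(string $configured): array
{
    $parts = preg_split('~[,/]~', strtolower($configured));
    $parts = array_map(fn($p) => trim($p, " \t."), $parts);
    return array_values(array_unique(array_filter($parts, 'strlen')));
}

// Exact match on the file's final extension; a missing extension
// or an empty allow-list rejects the upload (fail closed).
function extension_allowed(string $filename, array $allowed): bool
{
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return $ext !== '' && in_array($ext, $allowed, true);
}

// Constructed sample settings: comma list, slash list, untidy input.
foreach (['jpg,png', 'jpg/png', ' JPG , .png '] as $setting) {
    printf("%-16s wrapped: jpg=%s png=%s | parsed: [%s]\n",
        var_export($setting, true),
        var_export(wrapped_match('jpg', $setting), true),
        var_export(wrapped_match('png', $setting), true),
        implode(',', parse_extension_list($setting)));
}

// Constructed sample file names checked against the comma-separated setting.
$allowed = parse_extension_list('jpg,png');
foreach (['photo.JPG', 'photo.png', 'photo.gif', 'photo'] as $name) {
    printf("%-10s %s\n", $name,
        extension_allowed($name, $allowed) ? 'accepted' : 'rejected');
}
```

With the comma-separated setting the wrapped test reports false for both extensions, which matches the "Forbidden file extension" result in the post, while the parsed list is the same for all three settings.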

Joachim Müller

I PMed the dev who introduced the form that is currently used, asking him to take a look at your suggestion. Imo the user interface should become more user friendly for this particular feature (a form with checkboxes) in the future, but this is rather a feature request than an actual support related question.

Joachim

omniscientdeveloper

The reason there is a forward slash, instead of a comma, is that the code everywhere else expects forward slashes, so instead of changing it to commas, I left it as is.

I don't really feel the interface is bad. I was going to say that I had put instructions right next to the box, but I see that they've been removed and changed somehow. It should've stated forward slashes instead of commas. I can update the help file though.


-omni

Joachim Müller

@omni: doesn't the help icon appear in cpg1.4.x for you next to the config settings, explaining what is supposed to be in that field?

Joachim

omniscientdeveloper

You know what... Don't mind me. I'm doing too many things. In version 1.3, I don't see anything about the proper format. Maybe it was never there. Maybe it was removed. I can't remember. In version 1.4, there is a "?" pointing to the help file. This says that extensions should be delimited by commas, when it should be forward slashes. The reason is, unless something has changed, the upload page looks for this list to be separated by commas. When I implemented this, rather than change the whole process, which worked, I just added to it... Maybe that was the m$ way to do it.  :o